quagmire1973 Posted August 29, 2005

Hey folks. Ok, so I have finally completed my new script which is used for killing various applications that are found running on a machine. It is working beautifully as we are now running this app off the network. Here's my issue though. I want to be able to have this application run on startup on a local machine. Right now, users are executing the compiled script file from a login script. That's fine if they are logging into the network, but if it is a local computer, they don't get a script.

Now, before anyone says so, I don't want to use Run in the registry because the people we are trying to hide this script from are pretty adept. I want to be able to place the executable on their local machine, and then whenever a user logs on, it forces the application to launch. I am working in the education field and the application is being loaded onto students' PCs. Our regular students always log on to the network, but IT students build their own domains and such so we want to restrict it based on the local machine for those students.

Other than using the Startup folder, or the Run entry in the registry, where else can I hide a startup file? I thought of creating the EXE as a system service but am not sure how to do that either. Any suggestions would be appreciated. Thanks

RocTx Posted August 29, 2005 (edited)

Try the following tool to run it as a service

Run As Service: http://www.pirmasoft.com/runassvc.php

Or SrvAny: http://support.microsoft.com/kb/q137890/

RocTx

Or this.. http://www.autoitscript.com/forum/index.ph...topic=15251&hl=

Edited August 29, 2005 by RocTx

AutoChris Posted August 29, 2005

If these guys have admin rights to their computers (they are able to modify the registry, so I am assuming they have heightened security privileges), then not only can they erase the registry entry under HKLM\...\Run but they can stop and disable services as well. I think a good way to do it is to put it in the registry but put it in lesser-known locations like HKCU\...\Run or HKU\...\Run instead of HKLM\...\Run where most of the startup programs are located.

As RocTx suggested, I also use srvany to run AutoIt scripts as a service. I also have some people in the company with Admin rights who do not like having VNC Server running on their computer. So sometimes you have to get sneaky and rename the service or put it in StartUp but rename it "Microsoft Office" or something (be sure to change the icon if you do this).

Good luck. I hope you find something that works.

quagmire1973 (Author) Posted August 29, 2005

> If these guys have admin rights to their computers (they are able to modify the registry, so I am assuming they have heightened security privileges), then not only can they erase the registry entry under HKLM\...\Run but they can stop and disable services as well. I think a good way to do it is to put it in the registry but put it in lesser-known locations like HKCU\...\Run or HKU\...\Run instead of HKLM\...\Run where most of the startup programs are located. As RocTx suggested, I also use srvany to run AutoIt scripts as a service. I also have some people in the company with Admin rights who do not like having VNC Server running on their computer. So sometimes you have to get sneaky and rename the service or put it in StartUp but rename it "Microsoft Office" or something (be sure to change the icon if you do this).
> Good luck. I hope you find something that works.

See with these guys, the only thing I can think of really is to rename the file SVCHOST.EXE and have it run in the registry. Because SVCHOST is a normal system process, it will look normal in there. Plus, the program itself kills windows that it knows so I could include regedit, regedt32, and task manager in its data file. I just wish there was some other way to do this because I'd like to keep it hidden.

Sokko Posted August 29, 2005

If you can kill the regedit and task manager windows, you don't need to disguise the program as anything else. There's no need to hide it if it works well enough that there's no way to get rid of it. I have doubts on whether killing the task manager window is actually possible, though.

AutoChris Posted August 29, 2005

> If you can kill the regedit and task manager windows, you don't need to disguise the program as anything else. There's no need to hide it if it works well enough that there's no way to get rid of it. I have doubts on whether killing the task manager window is actually possible, though.

It is definitely possible to kill the Task Manager window, although I do not completely agree with that as a solution:

Start -> Run... -> "gpedit.msc" -> User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Delete -> Remove Task Manager

Or in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Key: DisableTaskMgr
Value: 1 (Disable Task Manager)

You can also just rename taskmgr.exe to something else so it will not appear.

therks Posted August 29, 2005

> See with these guys, the only thing I can think of really is to rename the file SVCHOST.EXE and have it run in the registry.

Why not rename it to SVCHOST, then using one of the options that RocTx provided, have it start as a system service. Although personally I could still get rid of it quite easily (there's a program called Process Mate which is like the Task Manager, only it tells you the location of the .exe as well).

jftuga Posted August 30, 2005

A program called Autoruns, from www.sysinternals.com, will list everywhere that a program can be configured to start at boot & login.

http://www.sysinternals.com/Utilities/Autoruns.html

-John

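An added example, not part of any post in this thread: the two checks therks and jftuga point to (seeing where an .exe actually lives, and listing startup entries) written as detection logic in Python. The sample process and autorun data, the watch list of names and the System32 path are constructed assumptions.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system32"  # assumption: default %SystemRoot%\System32
PROTECTED_NAMES = {"svchost.exe", "winlogon.exe", "taskmgr.exe"}  # assumed watch list

def image_of(command):
    """Extract the executable path from a command line (quoted or with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command if end < 0 else command[:end + 4]

def is_masquerade(command):
    """True when the image carries a system-process name but sits outside System32."""
    path = ntpath.normpath(image_of(command)).lower()
    folder, name = ntpath.split(path)
    return name in PROTECTED_NAMES and folder != SYSTEM_DIR

def review(processes, autoruns):
    """Return (kind, identifier, command) for every suspicious process or startup entry."""
    findings = [("process", pid, path) for pid, path in processes if is_masquerade(path)]
    findings += [("autorun", where, cmd) for where, cmd in autoruns if is_masquerade(cmd)]
    return findings

# Constructed sample data: (pid, image path) pairs and (location, command) pairs.
SAMPLE_PROCESSES = [
    (812, r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (2044, r"C:\WINDOWS\system32\winlogon.exe"),
    (3316, r"C:\Documents and Settings\student\Application Data\svchost.exe"),
]
SAMPLE_AUTORUNS = [
    ("HKCU Run key", r'"C:\Tools\SVCHOST.EXE"'),
    ("HKLM Run key", r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(finding)
```

On a live machine the two input lists would come from a process listing that includes image paths and from an Autoruns export.
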
quagmire1973 (Author) Posted August 30, 2005

> Why not rename it to SVCHOST, then using one of the options that RocTx provided, have it start as a system service. Although personally I could still get rid of it quite easily (there's a program called Process Mate which is like the Task Manager, only it tells you the location of the .exe as well).

See that's the problem I have as well. If the program identifies Task Manager, it kills Task Manager. Not a problem. But 3rd party apps will detect it so I need to find a way to hide the app from process listers.

I also thought that I might be able to have the program delete its own entry in the registry upon startup, and when the program exits, it recreates the key. So as long as the app is active, you can't see it in ANY kind of registry editor, regardless of the brand.

Doesn't solve the issue of hiding it as a system process though. I think the SVCHOST.EXE is probably my best bet.

Gigglestick Posted August 30, 2005

> See that's the problem I have as well. If the program identifies Task Manager, it kills Task Manager. Not a problem. But 3rd party apps will detect it so I need to find a way to hide the app from process listers.

Search the Web for these types of utilities, and use the ones mentioned above and add them to the list of processes to be killed. Possibly any task with "task" in the process name also? Maybe overkill. It would be nice if you could "hook" into Windows and intercept calls to get process lists, and either return an empty list to the calling app, or kill that app.

> I also thought that I might be able to have the program delete its own entry in the registry upon startup, and when the program exits, it recreates the key. So as long as the app is active, you can't see it in ANY kind of registry editor, regardless of the brand.

Check out OnAutoItStart and OnAutoItExit functions in the beta and do your RegDelete's and RegWrite's there.

Gigglestick Posted August 30, 2005

> Start -> Run... -> "gpedit.msc" -> User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Delete -> Remove Task Manager
> Or in the registry:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
> Key: DisableTaskMgr
> Value: 1 (Disable Task Manager)

Domain policies can override these settings.

Gigglestick Posted August 30, 2005

Oh, I just thought of something to try. I remember having to go to extraordinary lengths to kill a virus on my Dad's computer that ran two processes. Each process watched for the other one and started it if it wasn't running. It was impossible to kill both with any task killing utility I could find, including Task Manager. Ultimately, booting in Safe Mode and cleaning it up is easy to do, but it's also a hassle.

Anyway, have the process check to see if it is already running, and if not, it starts another instance of itself. Both constantly check to make sure that there are two of itself running, and it starts itself again if it doesn't find two.

Also, if you go with the SVCHOST.EXE idea, you might want to make sure it uses about the same amount of memory that something running in the real SVCHOST.EXE process uses, as well as keeping the CPU usage about the same so as not to "float" to the top or bottom of a process list if they find a way to get around your process killer and get a list of processes.

Nova Posted August 30, 2005

Try this, name your exe winlogon.exe, execute it and then try to kill it using taskmgr, you'll get a msg saying it's a vital system process and you cannot kill it. It can still be removed by the safe mode method mentioned above. Only ever tried this on winxp pro.

Raindancer Posted August 30, 2005

Why would one need such a program?

SmOke_N (Moderators) Posted August 30, 2005

Don't let Dev / Null see this post

JSThePatriot Posted August 30, 2005

> Don't let Dev / Null see this post

lol, I would have to say though he is a pretty good AV.. I appreciate the watchfulness he exerts, and the research he does.

JS

SmOke_N (Moderators) Posted August 30, 2005

No kidding... but I saw this post yesterday... and was surprised to see so many answers today to it... let alone our WARNING!!! Label wasn't on it yet

quagmire1973 (Author) Posted August 30, 2005

> Why would one need such a program?

Don't be so paranoid. It's an app that is used to kill applications that are not "authorized" in an educational environment.

JSThePatriot Posted August 30, 2005

> Don't be so paranoid. It's an app that is used to kill applications that are not "authorized" in an educational environment.

If you take a look at a lot of the recent posts on this forum, then you will see why we are paranoid, and that we have good reason to be. AutoIt has several times been quarantined by AV vendors due to one person's stupidity in making a script that harmed a system. We don't want AutoIt used in a wrongful manner if possible to avoid.

JS

SmOke_N (Moderators) Posted August 30, 2005

If you noticed... Sim / infernosomething / blah or whoever he's calling himself these days... has a post on the board from today ... using exactly what you have asked (changing the executable name to svchost). Now if you look at his former post... he would never have thought of that on his own, or even known to look for it.

Post Specific, like these are better kept in private via Personal Messenger even if they are purely for educational uses IMO. Now working in the education field... I'm sure you can understand that... I'd be willing to bet that 98% of the user base would be a bit peeved if they suddenly started getting complaints that their programs were black balled because of something silly that could have been overcome with a bit of common sense/courtesy.

I'm not doubting your intentions... just playing the "Cautious Child".